Skip to content

Read the Docs vulnerable to Cross-Site Scripting (XSS)

Moderate severity GitHub Reviewed Published Nov 9, 2022 in readthedocs/readthedocs.org • Updated Jan 7, 2023

Package

npm readthedocs (npm)

Affected versions

< 8.8.1

Patched versions

8.8.1

Description

Impact

This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org/readthedocs[.]com) by exploiting a vulnerability in the code that serves downloadable content from a project.

Exploiting this would have required the attacker to get a logged-in user to visit the malicious URL, which would have allowed the attacker to take control of the user's session with JavaScript (making requests to the API/site on behalf of the user). This URL would have looked something like hxxps[:]//readthedocs[.]org/projects/attacker-project/downloads/html/version-with-javascript-attack/.

Patches

This issue has been patched in our 8.8.1 release.

References

@ericholscher ericholscher published to readthedocs/readthedocs.org Nov 9, 2022
Published to the GitHub Advisory Database Nov 10, 2022
Reviewed Nov 10, 2022
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-98pf-gfh3-x3mp

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.